From patchwork Tue Aug 1 22:46:26 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sven Eckelmann X-Patchwork-Id: 13337338 X-Patchwork-Delegate: kvalo@adurom.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id A0401EB64DD for ; Tue, 1 Aug 2023 22:47:10 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231858AbjHAWrJ (ORCPT ); Tue, 1 Aug 2023 18:47:09 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49622 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230398AbjHAWrH (ORCPT ); Tue, 1 Aug 2023 18:47:07 -0400 X-Greylist: delayed 18512 seconds by postgrey-1.37 at lindbergh.monkeyblade.net; Tue, 01 Aug 2023 15:47:06 PDT Received: from dvalin.narfation.org (dvalin.narfation.org [213.160.73.56]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E14391FC6 for ; Tue, 1 Aug 2023 15:47:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=narfation.org; s=20121; t=1690930025; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=PHR/Ceyz+zF+hD08DGQG8Nbyef7sGRTfSEsJc2cgywQ=; b=mrssuWkinsKzLAVcizT+VbIKVMfZ8sGKoQbzLDgNdDettjzI75mHYqPDqIWHKYww40ZDtt HxtELkAkOugAojp4rlhGj6bwo400FKt/LyoyXHGPRnVjgG4JkX4KgX2yR+qQ5307K8aSss 1+Vry9zdw9OSE6fr2K13k74wopzZJZE= From: Sven Eckelmann Date: Wed, 02 Aug 2023 00:46:26 +0200 Subject: [PATCH v2 1/2] ath11k: Don't drop tx_status when peer cannot be found MIME-Version: 1.0 Message-Id: <20230802-ath11k-ack_status_leak-v2-1-c0af729d6229@narfation.org> References: <20230802-ath11k-ack_status_leak-v2-0-c0af729d6229@narfation.org> In-Reply-To: <20230802-ath11k-ack_status_leak-v2-0-c0af729d6229@narfation.org> To: Kalle Valo , Jeff Johnson , Pradeep Kumar Chitrapu Cc: Kalle Valo , ath11k@lists.infradead.org, linux-wireless@vger.kernel.org, Felix Fietkau , Sven Eckelmann , stable@vger.kernel.org X-Mailer: b4 0.12.3 X-Developer-Signature: v=1; a=openpgp-sha256; l=2204; i=sven@narfation.org; h=from:subject:message-id; bh=HRZoXCCJ8UfiG8qCssNPWEfidZon9wcj2whQmfFjpS0=; b=owEBbQKS/ZANAwAKAV2HCgfBJntGAcsmYgBkyYtPaaXRGe5hL8YZkiJ5gh9JoTh666OGBntxI jWSu2IjW/+JAjMEAAEKAB0WIQQXXSuHYSVz3OMy4AJdhwoHwSZ7RgUCZMmLTwAKCRBdhwoHwSZ7 Rr8aD/9CJ3h275r6O4MZIzWNZTf1G1CCDt4OtOCWFUaq9Hb9FXE3TE/NEKC8vQXghGk7cbIMdQC 7IYFHRdu3SB2Qa4JAY7AeJ5aMQcIF8Kuk8pFSg9HCtNgIAUzyZCB6eUl05cQRGtFy8FCwWX1SNS KMofFZmhNGePn+H6ZglTJQcwt/6joWHvCmTolSWWfGGOIKo75ePtx9YO/pz5DtwbkNgSYkv4H63 9BRxLMH1+UgE6YVwDAFIAZT8Gw6pYEG+UW6ngMWRPs7o9W0+MJnsVuzXBsdDVzUy8Qir/FG9WuD lfTltxr9lQM8PSSUMcdw8Smf2AGb7/J8p6ybPBprJ2xrkdHbDLwVROboOwzlwHGDvL99UPVsxQu /+OdraQzeNMjdTc2myRupmvAu5IAFhRsSxx62b5tflrt4sdwOFxx+4aqEFvaBScRQbkr2nYve7q O8/fuDFJRLQf2sF1uZgWKURAL4CvTYF7JBinUq+j5JT+iWv2+LTEL5Xw8/Ad6jW3lxBUytlHzEQ VRe8+VYtd13Qqf48F0P6Z1BJueM4a4Y5fNU10MJeBm981gBSvThq49uI/3gTIfNYRMHPVvEbDlz /CSttv6RtweZILhgIGcjDlU5LrTlXf+Exse14ZRirthh+rCMWaUyB3+nmwkyXSzVVhuj8R2NgvV ZXo5F9Fsbdfob3A== X-Developer-Key: i=sven@narfation.org; a=openpgp; fpr=522D7163831C73A635D12FE5EC371482956781AF Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org When a station idles for a long time, hostapd will try to send a QoS Null frame to the station as "poll". NL80211_CMD_PROBE_CLIENT is used for this purpose. And the skb will be added to ack_status_frame - waiting for a completion via ieee80211_report_ack_skb(). But when the peer was already removed before the tx_complete arrives, the peer will be missing. And when using dev_kfree_skb_any (instead of going through mac80211), the entry will stay inside ack_status_frames. This IDR will therefore run full after 8K request were generated for such clients. At this point, the access point will then just stall and not allow any new clients because idr_alloc() for ack_status_frame will fail. ieee80211_free_txskb() on the other hand will (when required) call ieee80211_report_ack_skb() and make sure that (when required) remove the entry from the ack_status_frame. Tested-on: IPQ6018 hw1.0 WLAN.HK.2.5.0.1-01100-QCAHKSWPL_SILICONZ-1 Fixes: 6257c702264c ("wifi: ath11k: fix tx status reporting in encap offload mode") Fixes: 94739d45c388 ("ath11k: switch to using ieee80211_tx_status_ext()") Cc: stable@vger.kernel.org Signed-off-by: Sven Eckelmann --- drivers/net/wireless/ath/ath11k/dp_tx.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/ath/ath11k/dp_tx.c b/drivers/net/wireless/ath/ath11k/dp_tx.c index a34833de7c67..27c976f52c7a 100644 --- a/drivers/net/wireless/ath/ath11k/dp_tx.c +++ b/drivers/net/wireless/ath/ath11k/dp_tx.c @@ -369,7 +369,7 @@ ath11k_dp_tx_htt_tx_complete_buf(struct ath11k_base *ab, "dp_tx: failed to find the peer with peer_id %d\n", ts->peer_id); spin_unlock_bh(&ab->base_lock); - dev_kfree_skb_any(msdu); + ieee80211_free_txskb(ar->hw, msdu); return; } spin_unlock_bh(&ab->base_lock); @@ -624,7 +624,7 @@ static void ath11k_dp_tx_complete_msdu(struct ath11k *ar, "dp_tx: failed to find the peer with peer_id %d\n", ts->peer_id); spin_unlock_bh(&ab->base_lock); - dev_kfree_skb_any(msdu); + ieee80211_free_txskb(ar->hw, msdu); return; } arsta = (struct ath11k_sta *)peer->sta->drv_priv; From patchwork Tue Aug 1 22:46:27 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sven Eckelmann X-Patchwork-Id: 13337339 X-Patchwork-Delegate: kvalo@adurom.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id DCBA1C001E0 for ; Tue, 1 Aug 2023 22:47:20 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231860AbjHAWrT (ORCPT ); Tue, 1 Aug 2023 18:47:19 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49678 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231987AbjHAWrO (ORCPT ); Tue, 1 Aug 2023 18:47:14 -0400 Received: from dvalin.narfation.org (dvalin.narfation.org [IPv6:2a00:17d8:100::8b1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4D6311FF3; Tue, 1 Aug 2023 15:47:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=narfation.org; s=20121; t=1690930031; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=wjSNp+Fc9Jt5MpoNE1r7E2tP2kQ/WOKZT6GzBaVgttM=; b=lcy/qjy21U7uUH8ft3i6bvD8CxwKsT0RiNOeNR+shWQkcPAZqI0vH9Zdv6p42G2+huThrm sMf/gHIaHmEgjEKcqFqY8q74SQATnsScxxq2uFJ4CwVFr5V3za6fNddmAdGO5ol3qPaOlD y0Jb8ATZqKLKwE0cAqyCFkDXuGNo8gQ= From: Sven Eckelmann Date: Wed, 02 Aug 2023 00:46:27 +0200 Subject: [PATCH v2 2/2] ath11k: Cleanup mac80211 references on failure during tx_complete MIME-Version: 1.0 Message-Id: <20230802-ath11k-ack_status_leak-v2-2-c0af729d6229@narfation.org> References: <20230802-ath11k-ack_status_leak-v2-0-c0af729d6229@narfation.org> In-Reply-To: <20230802-ath11k-ack_status_leak-v2-0-c0af729d6229@narfation.org> To: Kalle Valo , Jeff Johnson , Pradeep Kumar Chitrapu Cc: Kalle Valo , ath11k@lists.infradead.org, linux-wireless@vger.kernel.org, Felix Fietkau , Sven Eckelmann , stable@vger.kernel.org X-Mailer: b4 0.12.3 X-Developer-Signature: v=1; a=openpgp-sha256; l=1741; i=sven@narfation.org; h=from:subject:message-id; bh=V0GmeAeeQt0aCXU2oj7g+5cgKTE+OL2dACM9u/oszNE=; b=owEBbQKS/ZANAwAKAV2HCgfBJntGAcsmYgBkyYtPfA2Rq4V9mZUnkITk5Gm63v2GRPrKuBSv6 6ajaM6q+F+JAjMEAAEKAB0WIQQXXSuHYSVz3OMy4AJdhwoHwSZ7RgUCZMmLTwAKCRBdhwoHwSZ7 RvadD/46pI0BWWi3m/aXoJQ8jAZK4ubVCvQ3WEWaNeq9m8r9Pc10Uy514F69GxAZCvlIuAPhNQv HXUw+Py6JuM+qXG4tuP5r2n41CAIP3NnP9uIQ9yw83QkL+qXaZoPqWVoFyDyV6RvmSLii1GdotF k5sCnHEQ4A6FGpMKSbEdzxVVIgJ6TzSGDYf8+BaCC3M6bWTyq9WbtZe3Yzuym4Nbjrs6KkxbnK/ sDxmkDoGgAnlMtydM6MFVcxuuSLdVoHvwVOl1AtI+guVY8eQkuxiDxx0UBzG4HtpbkREVEW7Vjs QaubdsFrH+9A293KKPkDwR0dxNaGa17ODPQlG0HuWbqrYSCqKr9Lbr9I17dRMLUYj3pxbmwob60 c8NoT3bHIPIP1izPfofUKysAaQQzYeFnsXxoc0D5gdUxK/l6B3zrxfT4jSm1QvzEjsickcE9qHQ 786/m0jICjaZdnYr7gKqrr3csyq3OiC1Ammul0936X9jcYe88Tl1s6xEXXUlqirk/+b8kGxr6O6 D+3xcGcGEcenMwn86Fo2Of3ZjQ7X6pM4kN8+yf83jQKkxZxQxR2/kRoVDEttKxbD6FgQcSiU2W3 sqckPRQgLkTaDbTZELhZCyOi6a9dhqbkYQsF2MmHVL5rCJu7Sz8rMo9lqAIQgOwL+WXJDbdhrZe Kqk98ePOKEtqcjw== X-Developer-Key: i=sven@narfation.org; a=openpgp; fpr=522D7163831C73A635D12FE5EC371482956781AF Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org When a function is using functions from mac80211 to free an skb then it should do it consistently and not switch to the generic dev_kfree_skb_any (or similar functions). Otherwise (like in the error handlers), mac80211 will will not be aware of the freed skb and thus not clean up related information in its internal data structures. Not doing so lead in the past to filled up structure which then prevented new clients to connect. Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") Fixes: 6257c702264c ("wifi: ath11k: fix tx status reporting in encap offload mode") Cc: stable@vger.kernel.org Signed-off-by: Sven Eckelmann --- drivers/net/wireless/ath/ath11k/dp_tx.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/net/wireless/ath/ath11k/dp_tx.c b/drivers/net/wireless/ath/ath11k/dp_tx.c index 27c976f52c7a..b85a4a03b37a 100644 --- a/drivers/net/wireless/ath/ath11k/dp_tx.c +++ b/drivers/net/wireless/ath/ath11k/dp_tx.c @@ -344,7 +344,7 @@ ath11k_dp_tx_htt_tx_complete_buf(struct ath11k_base *ab, dma_unmap_single(ab->dev, skb_cb->paddr, msdu->len, DMA_TO_DEVICE); if (!skb_cb->vif) { - dev_kfree_skb_any(msdu); + ieee80211_free_txskb(ar->hw, msdu); return; } @@ -566,12 +566,12 @@ static void ath11k_dp_tx_complete_msdu(struct ath11k *ar, dma_unmap_single(ab->dev, skb_cb->paddr, msdu->len, DMA_TO_DEVICE); if (unlikely(!rcu_access_pointer(ab->pdevs_active[ar->pdev_idx]))) { - dev_kfree_skb_any(msdu); + ieee80211_free_txskb(ar->hw, msdu); return; } if (unlikely(!skb_cb->vif)) { - dev_kfree_skb_any(msdu); + ieee80211_free_txskb(ar->hw, msdu); return; }